b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                  The Internal Revenue Service Adequately\n                   Protected Sensitive Data and Restored\n                  Computer Operations After the Flooding of\n                          Its Headquarters Building\n\n\n\n                                        January 26, 2007\n\n                              Reference Number: 2007-20-023\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n  and information determined to be restricted from public release has been redacted from this document.\n\n Redaction Legend:\n 3(d) = Identifying Information - Other Identifying Information of an Individual or Individuals\n\n Phone Number | 202-927-7037\n Email Address | Bonnie.Heald@tigta.treas.gov\n Web Site      | http://www.tigta.gov\n\x0c                                           DEPARTMENT OF THE TREASURY\n                                                WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                           January 26, 2007\n\n\n MEMORANDUM FOR CHIEF, AGENCY-WIDE SHARED SERVICES\n\n FROM:                       Michael R. Phillips\n                             Deputy Inspector General for Audit\n\n SUBJECT:                    Final Audit Report \xe2\x80\x93 The Internal Revenue Service Adequately\n                             Protected Sensitive Data and Restored Computer Operations After the\n                             Flooding of Its Headquarters Building (Audit # 200620041)\n\n This report presents the results of our review to evaluate the actions taken by the Internal\n Revenue Service (IRS) in response to the flooding of its Headquarters building. Specifically, we\n determined whether the IRS adequately protected data and computer operations and sufficiently\n recovered its computer systems and data damaged or disrupted by the flooding. The Senate\n Finance Committee requested that the Treasury Inspector General for Tax Administration\n determine the extent and nature of disruption to IRS operations and identify the functions and\n locations that have been most affected as a result of the flooding. This audit is one of three\n reviews that the Treasury Inspector General for Tax Administration initiated to answer the\n Senate Finance Committee\xe2\x80\x99s request.\n\n Impact on the Taxpayer\n The flooding disaster at the IRS Headquarters building in Washington, D.C., could have resulted\n in the loss of taxpayer data and disruption in computer operations. However, due to preparatory\n and responsive actions, the IRS adequately protected sensitive data in the aftermath of the\n flooding and restored computer operations for its Headquarters employees.\n\n Synopsis\n A rare tropical deluge over the Washington, D.C., metropolitan area on June 24 and 25, 2006,\n unleashed floods of water that swamped the Federal Triangle area of the nation\xe2\x80\x99s capital and\n forced an estimated 3 million gallons of water into the basement and subbasement of the IRS\n Headquarters building at 1111 Constitution Avenue, NW. Due to cleanup activities, health\n\x0c                       The Internal Revenue Service Adequately Protected Sensitive\n                       Data and Restored Computer Operations After the Flooding of\n                                        Its Headquarters Building\n\n\nconcerns, and the lack of electricity and ventilation, the building was closed and could not be\nimmediately reoccupied. The building reopened in December 2006. The Headquarters building\nhouses more than 2,200 employees from various IRS business units, including many top-level\nmanagement officials.\nPerimeter security was always maintained at the Headquarters building, and entry was tightly\ncontrolled after the flooding occurred. As a result,\ntaxpayer data stored in the entire building were\nadequately protected against the risk of unauthorized      Taxpayer data stored in the entire\naccess. In addition, damaged equipment and destroyed           building were adequately\ntaxpayer data stored in the basement were properly            protected against the risk of\nprotected and disposed of.                                 unauthorized access. In addition,\n                                                                           destroyed taxpayer data stored in\nA little more than 1 month after the flooding, the             the basement were properly\nAgency-Wide Shared Services Division had completed              protected and disposed of.\nworkstation space arrangements for displaced employees\nin 15 different locations in the District of Columbia,\nMaryland, and Virginia. Within the same time period, the Modernization and Information\nTechnology Services (MITS) organization had located unassigned computers for those\nemployees without computers, configured the computers to fit each employee\xe2\x80\x99s needs, and\nprovided technical support to allow employees to reconnect to the IRS network.\nThe MITS organization restored computer infrastructure operations that existed in the\nHeadquarters building prior to the flooding. A Wage and Investment Division computer\napplication system, the only mainframe application operating out of the Headquarters building,\nwas reestablished at a mainframe computer in another site within 2 calendar days after the\nflooding. Other critical servers1 were moved from the Headquarters building to another IRS\nfacility and restored for availability to employees within 8 calendar days after the flooding.\nMany other vital servers were moved and restored within 2 weeks after the flooding.\nWe commend the efforts of the IRS and believe the actions taken by the IRS protected taxpayer\ndata and minimized the disruption of computer operations caused by the flooding. However, we\nfound the tracking of computer assets removed from the building was not initiated timely. For\nexample, several Wage and Investment Division servers were removed from the Headquarters\nbuilding without the knowledge or approval of the MITS organization. These servers were\ntemporarily stored overnight in non-IRS space. Also, the Criminal Investigation Division\nremoved many servers from the building before the asset tracking system was implemented.\nMITS organization employees were unable to perform a physical inventory validation of\ncomputers remaining in the building because the building was closed. However, now that the\nbuilding has reopened, the annual physical inventory validation is scheduled to begin in\n\n1\n    A server is a computer that delivers information and software to other computers linked by a network.\n                                                                                                               2\n\x0c                The Internal Revenue Service Adequately Protected Sensitive\n                Data and Restored Computer Operations After the Flooding of\n                                 Its Headquarters Building\n\n\nJanuary 2007. We encourage the completion of this inventory validation because it will provide\ndocumented evidence that all computers are properly accounted for.\n\nRecommendation\nThe Chief, Agency-Wide Shared Services, should ensure the Incident Management Plans for all\nIRS locations include the implementation of an asset tracking system and related processes\nimmediately after a disaster.\n\nResponse\nThe Chief, Agency-Wide Shared Services, agreed with our findings and recommendation. The\nDirector, Agency-Wide Shared Services Employee Support Services, developed and\nimplemented an Emergency Incident Asset Retrieval form, which has been incorporated into the\nIncident Management Plan Addendum. In addition, incident management planning was updated\nto include the asset tracking process, and training was provided to appropriate personnel.\nManagement\xe2\x80\x99s complete response to the draft report is included as Appendix IV.\nPlease contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant\nInspector General for Audit (Information Systems Programs), at (202) 622-8510.\n\n\n\n\n                                                                                                 3\n\x0c                       The Internal Revenue Service Adequately Protected Sensitive\n                       Data and Restored Computer Operations After the Flooding of\n                                        Its Headquarters Building\n\n\n\n\n                                            Table of Contents\n\nBackground ..........................................................................................................Page 1\n\nResults of Review ...............................................................................................Page 3\n          The Internal Revenue Service Adequately Protected Sensitive\n          Data in the Aftermath of the Flooding Disaster............................................Page 3\n                    Recommendation 1:..........................................................Page 8\n\n          The Internal Revenue Service Adequately Restored Computer\n          Operations for Its Employees After the Flooding Disaster...........................Page 8\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................Page 10\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................Page 11\n          Appendix III \xe2\x80\x93 Report Distribution List .......................................................Page 12\n          Appendix IV \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report ......................Page 13\n\x0c        The Internal Revenue Service Adequately Protected Sensitive\n        Data and Restored Computer Operations After the Flooding of\n                         Its Headquarters Building\n\n\n\n\n                       Abbreviations\n\nAWSS             Agency-Wide Shared Services\nCI               Criminal Investigation\nIRS              Internal Revenue Service\nMITS             Modernization and Information Technology Services\nTIGTA            Treasury Inspector General for Tax Administration\nW&I              Wage and Investment\n\x0c                     The Internal Revenue Service Adequately Protected Sensitive\n                     Data and Restored Computer Operations After the Flooding of\n                                      Its Headquarters Building\n\n\n\n\n                                              Background\n\nA rare tropical deluge over the Washington, D.C., metropolitan area on June 24 and 25, 2006,\nunleashed floods of water that swamped the Federal Triangle area of the nation\xe2\x80\x99s capital and\nforced the closure of many Federal Government offices, including the Internal Revenue Service\n(IRS) Headquarters building at 1111 Constitution Avenue, NW. Electrical and maintenance\nequipment in the subbasement of the building was submerged in more than 20 feet of water.\nAlso, the basement of the building, which contained additional electrical equipment, a health\nfitness facility, stored records, computer equipment, and vehicles garaged in the building, was\npartially submerged.\n\n\n\n\nOn early Monday morning, floodwaters submerge        The floodwaters surrounding the IRS building broke\nConstitution Avenue and engulf the IRS building.     through windows in several rooms in the basement of\n(Photo provided by the IRS)                          the IRS building. (Photo provided by the IRS)\n\n\nThe IRS Headquarters building houses more than 2,200 employees from various IRS business\nunits. Among these employees are the top-level management officials, such as the\nCommissioner and Deputy Commissioners.\nOn July 6, 2006, the Assistant Secretary for Management, Department of the Treasury, met with\nthe Treasury Inspector General for Tax Administration (TIGTA) and expressed concern about\nhow the IRS was responding to the disaster. On July 12, 2006, the ranking member of the Senate\nFinance Committee sent a letter to the Inspector General requesting that the TIGTA determine\nthe extent and nature of disruption to IRS operations and identify the functions and locations that\nhave been most affected by the flooding. As a result, the TIGTA Office of Audit initiated three\naudits to answer concerns about the flooding disaster at the IRS Headquarters building. This\nreview focused on data security and computer operations, while the objectives of the other\n\n                                                                                                   Page 1\n\x0c                   The Internal Revenue Service Adequately Protected Sensitive\n                   Data and Restored Computer Operations After the Flooding of\n                                    Its Headquarters Building\n\n\nreviews1 relate to general business resumption efforts and determining the costs related to the\nflooding disaster.\nThis review was performed at the IRS National Headquarters in Washington, D.C.; the IRS\nOffice of Chief Counsel at 950 L\xe2\x80\x99Enfant Place, Washington, D.C.; the New Carrollton Federal\nBuilding at 5000 Ellin Road, Lanham, Maryland; and the IRS Real Estate and Facilities\nManagement office at 2221 South Clark Street, Crystal City, Virginia, during the period July\nthrough October 2006. The audit was conducted in accordance with Government Auditing\nStandards. Detailed information on our audit objective, scope, and methodology is presented in\nAppendix I. Major contributors to the report are listed in Appendix II.\n\n\n\n\n1\n  The Internal Revenue Service Building Flood Caused No Measurable Impact on Tax Administration (draft report\nissued November 28, 2006) and Replacement Costs for Flood Damage to the Internal Revenue Service National\nHeadquarters (Audit Number 200710031, Engagement letter issued November 30, 2006).\n                                                                                                       Page 2\n\x0c                   The Internal Revenue Service Adequately Protected Sensitive\n                   Data and Restored Computer Operations After the Flooding of\n                                    Its Headquarters Building\n\n\n\n\n                                     Results of Review\n\nThe Internal Revenue Service Adequately Protected Sensitive Data in\nthe Aftermath of the Flooding Disaster\nThe flooding into the IRS\xe2\x80\x99 Headquarters building occurred on Sunday evening,\nJune 25, 2006. The building was unoccupied at the time except for the usual security guards\nposted at the perimeter. A short-circuit in the electrical system caused by the flooding set off the\nfire alarm at 10:45 p.m., and a security guard contacted the IRS building manager. The building\nmanager promptly went to the building to assess the situation. At that point, Constitution\nAvenue was under 3 feet of water. Within 2 hours of arriving, the building manager had\narranged for water pumps to begin pumping water out of the basement. On Monday, June 26,\n2 other firms, 1 under contract by the General Services Administration and another under\ncontract by the IRS, joined the first group in the removal of an estimated 3 million gallons of\nwater.\nThe IRS building manager notified the Incident Commander2 of the flooding at 12:45 a.m. on\nMonday, June 26, 2006, and the Incident Commander contacted key management officials to\nadvise them of the flooding and that the building would be closed for the day. At 3:01 a.m., the\nIncident Commander authorized a message to be sent to all IRS executives advising them of the\nflooding of the building. The Incident Commander enlisted the support of the IRS\nCommunications Officer to contact the local media. By 3:37 a.m., all local television channels\nand a radio station had been contacted for public notification of the building closure. The\nannouncement on the radio also included a contact telephone number for employees to call for\nadditional information. In addition, a voice mail message was issued to all IRS District of\nColumbia employees advising them of the closure of the building for the day, and the IRS\xe2\x80\x99\nofficial web site provided current information on the building closure. Also, on June 26, 2006,\nsenior IRS leadership established operations in another local IRS building in accordance with the\nIRS Business Resumption Plan.3\nAs the water receded, it became apparent that all contents located in the basement had been\ndamaged or destroyed. Doors had been forced from their hinges, some of the windows were\nbroken, and furniture was piled into doorways. Many records were soaked and all computers\nwere damaged. The highest water level in the basement reached approximately 5 feet. The\n\n\n2\n  An Incident Commander is directly responsible for frontline management of an incident. The Incident\nCommander, in conjunction with other onsite business team managers, will develop and implement response\nstrategies and will use existing disaster preparedness documents for the recovery of business operations.\n3\n  The IRS Business Resumption Plan provides guidelines for reestablishing operations after a disaster.\n                                                                                                            Page 3\n\x0c                    The Internal Revenue Service Adequately Protected Sensitive\n                    Data and Restored Computer Operations After the Flooding of\n                                     Its Headquarters Building\n\n\nwater depth in the small subbasement, containing electrical and maintenance equipment, was\nestimated at 20 feet.\n\nPerimeter security was maintained at the building, and entry was tightly\ncontrolled after the flooding occurred\nIn the days following the flooding, the IRS placed additional security guards to prevent any\nunauthorized entry into the building. Physical access into the building was controlled through a\nsingle entry point. All employees entering the building were required to sign in and out. By\nWednesday, June 28, 2006, it was determined by the Incident Commander and senior IRS\nexecutives that the building would be closed for an extended period of time. Because the\nbuilding was secure at all times, taxpayer data maintained throughout the building were not at\nrisk of unauthorized access.\n\nDamaged equipment and destroyed taxpayer data stored in the basement were\nproperly protected and disposed of\nUnsalvageable records stored in the basement included over 100 boxes containing taxpayer and\nother personally identifiable information belonging to the Office of Chief Counsel and the Office\nof the Tax Exempt and Government Entities Division, personnel records of the Criminal\nInvestigation (CI) Division,4 employee medical records maintained by the Health Unit, and\nFreedom of Information Act5 litigation documents. Based on potential health and contamination\nissues caused by the floodwaters and the fact that many of the documents with long-term\nretention periods were replicated in the records of United States District Attorneys and United\nStates District Courts, the National Archives Records Administration approved the destruction of\nthese records. On July 12, 2006, these records were destroyed by the document destruction\ncompany currently under contract with the IRS.\nEmployees of the primary cleaning contractor normally used by the IRS from an existing\ncontract had been screened for suitability of employment; however, the additional\n100 employees used for the emergency cleanup after the flood worked for a subcontractor and\ndid not have security clearances. Cleaning of the flooded building was conducted around the\nclock, with the subcontractor employees working 12-hour shifts. These employees were required\nto sign in and out of the building and were restricted to the basement area. In addition, the\nprimary contractor employees and the security guards on duty at the building monitored the\ncleaning activities. Given these circumstances and mitigating controls in place, we believe the\nuse of unscreened contractors was appropriate to expedite cleanup efforts.\n\n\n\n4\n  The CI Division is responsible for detecting and investigating criminal violations of the Internal Revenue Code and\nfinancially related crimes.\n5\n  5 U.S.C.A. \xc2\xa7 552 (West Supp. 2003).\n                                                                                                             Page 4\n\x0c                    The Internal Revenue Service Adequately Protected Sensitive\n                    Data and Restored Computer Operations After the Flooding of\n                                     Its Headquarters Building\n\n\nIn addition to hardcopy files, Building Management function employees and contractors with\noffices in the basement had computers that were destroyed. These computers did not contain\ntaxpayer information. The CI Division had three computers in the basement, one of which was\nused to issue credentials. The three damaged CI Division computers were taken to the\nCI Division laboratory for security purposes. The CI Division also had 12 new, unused notebook\ncomputers damaged by the flood. In addition, the Office of Chief Counsel had $1.3 million of\nnew, unused computer equipment stored in the basement. None of the new equipment contained\ntaxpayer data. The new computers were disposed of by the contractor responsible for cleaning\nthe basement area.\n\nTracking of computer assets removed from the building was not initiated timely,\nand computers were allowed to be taken out of the building without proper\noversight and accountability\nWhile the flooding disaster mainly affected the basement and subbasement floors, it indirectly\naffected the rest of the building because all electrical and ventilation equipment was damaged\nand would take months to repair or replace. In addition, summer weather temperatures and high\nhumidity levels created concern about contamination and mold growth in the building. As a\nresult, the entire building was closed and deemed unsuitable for employee occupancy.\nTo expedite the resumption of normal operations, the IRS allowed limited and escorted traffic\ninto the building after the flooding. To account for and control building traffic, all persons\nentering and leaving the building were required to sign in and out. Employees were permitted to\nenter the building and remove personal items, files, and computers. For example, many\nemployees who were assigned laptop computers entered the building to retrieve their computers.\nIn some cases, IRS computer desktop support employees helped the employees pack their\ncomputers for shipment to the employees\xe2\x80\x99 new work locations. Some of the larger desktop\ncomputers were removed, but most of these computers remained in the building. The IRS\nprovided replacement computers for these users at their new locations. Procedures for tracking\ncomputer assets in the event of a disaster had not been included in the IRS\xe2\x80\x99 Incident\nManagement Plan.6\nBy Friday, June 30, 2006, the IRS had developed and implemented an asset tracking process to\ntrack the removal of assets, including equipment and records from the IRS Headquarters\nbuilding. Modernization and Information Technology Services (MITS) organization7 managers\nrequested that no computer equipment be moved except under controlled and secure conditions.\nIn addition, employees who had already removed items were asked to retroactively complete the\n\n6\n  An Incident Management Plan describes the overall coordinated actions to be taken by the Incident Management\nteam to ensure recovery and restoration of a facility when an incident occurs.\n7\n  The MITS organization is responsible for providing information technology support and services for the IRS by\nbuilding and maintaining information systems that will help the IRS achieve its mission, objectives, and business\nvision.\n                                                                                                           Page 5\n\x0c                    The Internal Revenue Service Adquatdy Protected SensIthre\n                    Data and Restored Compufer Opemtironr After M e Flooding of\n             p                       /is Headquarters BuMng\n\n\nasset tracking forms so inventory records would show the correct location for eachitem. To\ntheir credit, 148 employees completed the tracking forms, listing the equipment and items they\nhad taken from the building between June 26 and June 29,2006..According to these forms,\n104 computers were removed, including 81 laptop computers. In total, employees removed\n627 computers, includng 464 laptop computers, from the Headquarters building.\'\n         On Wednesday, June 28,2006, seven servers9from the Wage and investment (W&I)\n         Division" were removed from the Headquarters building by contractors and placed in a\n\n\n\n\n         following day, the MITS organization directed the W&I Division to immediately move\n         these servers to a designated R S building and the move was completed that same\'day.\n         Before these computers were reconnected to the IRS network, the IRS tested the\n         computers to ensure compliance with-IRSsecurity standards. The servers have been\n         tracked to their current location.\n         On Wednesday, June 28,2006, and Thursday, June 29, 2006, employees from the\n         CI Division removed 41 computer servers from the Headquarters building using a rented\n         truck. The CI Division was able to move the computers before the asset tracking system\n         was in place because the Division has its own computer staff and did not need assistance\n         from the MITS organization. Prior to the removal of the equipment, the Chief, CI,\n         obtained verbal authorization from the Chief, Agency-Wide Shared Services (AWSS)."\n         The CI Division contends that the computer assets were always under its controI and\n         secure at all.tirnes,and it maintained documentation to verify that its computer assets\n         were being tracked within the Division to their current locations.\n         Many critical servers were moved to two different locations on Friday, June 30,2006.\n         Fifteen serversused by the W&I Division\'s Computer Assisted Publishing SystemI2\n         were moved by a contractor to the IRS Enterprise Computing Center in\n         Martinsburg, West Virginiq where this equipment will remain permanently. The\n\n   The TIGTA obtained current inventory data on.servers removed fiom the building through contacts with the\naffected IRS business units. We considered this information to be sufftcient for achieving our audit objective.\n9\n   A server is a computer that delivers information and softwae to other computers linked by a network.\n10\n    The W&I Division services individual taxpayers and provides the information, support, and assistance these\ntaxpayers need to fulfilltheir tax obligations.\nI \' The AWSS Division provides administrative services to support IRS employees. These se,wicesinclude real\nestate and facilities management, procurements, cqual employment opportunity, trayel, and payroll and personnel.\n\'\'  The Computer Assisted Publishing System provides computer resources to maintain a central printing and\npublication management organization for the development and distribution of published materials for 13 divisions af\nthe lRS.\n                                                                                                           Page 6\n\x0c                   The Internal Revenue Service Adequately Protected Sensitive\n                   Data and Restored Computer Operations After the Flooding of\n                                    Its Headquarters Building\n\n\n         mainframe computer for this System, the only mainframe application operating out of the\n         Headquarters building, was not moved and still resides in the Headquarters building.\n         However, the application was reestablished on another mainframe computer at the\n         Martinsburg location within 2 calendar days after the flooding. Thirty pieces of\n         equipment, including 20 servers deemed critical to IRS operations, were moved the same\n         day by a contractor to the computer room located in the IRS facility in Lanham,\n         Maryland. Some servers provided shared storage space for several IRS business units,\n         and others contained information vital to the Office of the Chief Financial Officer and to\n         the Commissioner\xe2\x80\x99s staff. These two moves were performed securely, with inventory\n         records prepared and verified throughout the moving process. The trucks were\n         accompanied by CI Division special agents to ensure safe arrival at their destinations.\n     \xe2\x80\xa2   One week later, on Friday, July 7, 2006, with 1 freight elevator in the building\n         operational, IRS contract movers were able to more easily transfer 82 pieces of\n         equipment, including 24 additional vital servers, from the Headquarters building to the\n         computer room in the IRS facility in Lanham, Maryland, using required security and\n         inventory controls.\n     \xe2\x80\xa2   A review of IRS inventory records for the Headquarters building, as of August 15, 2006,\n         showed that almost one-half of the servers assigned to the Headquarters building had not\n         been scanned or modified after the date of the flooding event. While it is likely that\n         many of these servers remain inside the building, we cannot be sure because the asset\n         tracking system was not in place until 5 calendar days after the flooding.\nBecause the building was closed, MITS organization employees were unable to perform a\nphysical inventory validation of the workstations and servers remaining in the building. The\nbuilding reopened for occupancy December 8, 2006, and the IRS plans to begin its annual\nphysical inventory in January 2007. We encourage the completion of this inventory validation\nbecause it will provide documented evidence that the computers are still located in the\nHeadquarters building. We had made a similar recommendation during an audit on the IRS\xe2\x80\x99\nefforts for Hurricanes Katrina and Rita.13 Specifically, we recommended the Chief Information\nOfficer establish procedures to conduct a physical inventory validation of all computers at IRS\nfacilities that suffer extensive damage after any major disaster, to identify possible loss or theft\nof computers. In addition, the report stated this validation should be performed within\n30 calendar days after the disaster. Due to the closure of the Headquarters building, we were\nlikewise unable to conduct a physical validation of computer assets located in the building.\n\n\n\n\n13\n The Internal Revenue Service Successfully Accounted for Employees and Restored Computer Operations After\nHurricanes Katrina and Rita (Reference Number 2006-20-068, dated March 2006).\n                                                                                                     Page 7\n\x0c                 The Internal Revenue Service Adequately Protected Sensitive\n                 Data and Restored Computer Operations After the Flooding of\n                                  Its Headquarters Building\n\n\nRecommendation\nRecommendation 1: The Chief, AWSS, should ensure the Incident Management Plans for all\nIRS locations include the implementation of an asset tracking system and related processes\nimmediately after a disaster.\n       Management\xe2\x80\x99s Response: The Chief, AWSS, concurred with the finding and\n       recommendation. The IRS developed and implemented an Emergency Incident Asset\n       Retrieval Tracking form, which has been incorporated into the Incident Management Plan\n       Addendum. In addition, all written material concerning incident management planning\n       has been updated to include asset tracking processes, and training was provided to\n       appropriate personnel.\n\nThe Internal Revenue Service Adequately Restored Computer\nOperations for Its Employees After the Flooding Disaster\nBecause the flooding disaster damaged the electrical and ventilation functions of the building,\nemployees were not allowed to work in the building, which required the IRS to locate temporary\nworkspace for all displaced employees. This responsibility was assigned to the AWSS Division.\nBusiness Resumption Coordinators for each of the business units provided the Incident\nCommander with a prioritized list of employees who required space. The AWSS Division\nsecured workstation space arrangements for the displaced employees in 15 different locations in\nthe District of Columbia, Maryland, and Virginia.\nIn addition to finding workspace for displaced employees, the IRS needed to provide them with\ncomputer resources to resume tax administration activities and to move all computer\ninfrastructure operations that existed in the building prior to the flooding. These responsibilities\nwere assigned to the MITS organization. To this end, MITS organization employees worked\nmany hours of overtime that resulted in overtime costs of about $50,000.\nSome employees who regained possession of their computers reported to work at other IRS\noffices and connected directly to the IRS network. For those employees who requested to\ntemporarily work at home, IRS technicians installed secure connectivity software in their\ncomputers so these employees could connect to the IRS network.\nFor displaced employees who reported back to work but did not have computers with which to\nresume their duties, MITS organization personnel were tasked with locating unassigned\ncomputers, visiting the various worksites of displaced employees, and configuring computers to\nfit each employee\xe2\x80\x99s needs. With more than 2,200 displaced employees, this endeavor was\ndaunting, yet the MITS organization provided all employees with assigned computers by\nJuly 28, 2006, a little over 1 month after the flooding occurred.\n\n\n\n                                                                                              Page 8\n\x0c                 The Internal Revenue Service Adequately Protected Sensitive\n                 Data and Restored Computer Operations After the Flooding of\n                                  Its Headquarters Building\n\n\nAdditionally, the IRS provided network data and telephone lines in two new locations that were\nrented for the CI Division and Office of Chief Counsel staffs. Adaptive computer equipment\nrequired by some employees with special needs was moved to their temporary work locations.\nAs previously mentioned, the IRS moved many servers out of the Headquarters building to new\nlocations. The MITS organization timely restored connectivity of these servers to the IRS\nnetwork. For example, MITS organization personnel worked over the weekend to restore the\ncritical servers removed from the building on June 30, 2006; the servers were restored by the\nfollowing Monday, July 3, 2006 (8 calendar days after the flooding). Most of the vital servers\nmoved on Friday, July 7, 2006, were placed into operation that weekend (2 weeks after the\nflooding). In addition, the connectivity of the W&I Division\xe2\x80\x99s Computer Assisted Publishing\nSystem was restored on another mainframe computer at the Enterprise Computing Center in\nMartinsburg, West Virginia, within 2 calendar days. Electronic mail servers and BlackBerry\xe2\x84\xa2\nservers supporting Headquarters building employees were not located in the Headquarters\nbuilding and were not affected by the flooding disaster.\nAlthough the demands created by this disaster required additional equipment and services, the\nIRS did not request additional funding. We commend the efforts of the IRS and believe the\nactions taken by the IRS minimized the disruption caused by the flooding disaster.\n\n\n\n\n                                                                                         Page 9\n\x0c                 The Internal Revenue Service Adequately Protected Sensitive\n                 Data and Restored Computer Operations After the Flooding of\n                                  Its Headquarters Building\n\n\n                                                                                   Appendix I\n\n        Detailed Objective, Scope, and Methodology\n\nThe overall objective of this review was to evaluate the actions taken by the IRS in response to\nthe flooding of its Headquarters building. Specifically, we determined whether the IRS\nadequately protected data and computer operations and sufficiently recovered its computer\nsystems and data damaged or disrupted by the flooding. To accomplish our objective, we:\nI.     Determined whether the IRS protected taxpayer data during and after the flood.\n       A. Assessed the security of the IRS Headquarters building after the disaster.\n       B. Assessed the security of taxpayer records and computer equipment during cleanup\n          activities.\nII.    Determined whether the IRS sufficiently recovered its computer systems and data\n       damaged or disrupted by the flooding.\n       A. Assessed whether the computer operations and related data were timely and\n          adequately restored.\n       B. Assessed whether taxpayer records were being adequately protected by employees\n          who were working in facilities outside the control of the IRS.\n\n\n\n\n                                                                                          Page 10\n\x0c                The Internal Revenue Service Adequately Protected Sensitive\n                Data and Restored Computer Operations After the Flooding of\n                                 Its Headquarters Building\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nMargaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)\nSteve Mullins, Director\nKent Sagara, Audit Manager\nStasha Smith, Lead Auditor\nCharles Ekunwe, Senior Auditor\nMyron Gulley, Senior Auditor\n\n\n\n\n                                                                                     Page 11\n\x0c                The Internal Revenue Service Adequately Protected Sensitive\n                Data and Restored Computer Operations After the Flooding of\n                                 Its Headquarters Building\n\n\n                                                                 Appendix III\n\n                         Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Operations Support\nChief Information Officer OS:CIO\nChief, Mission Assurance and Security Services OS:MA\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaisons:\n       Chief, Agency-Wide Shared Services OS:A\n       Chief, Mission Assurance and Security Services OS:MA\n       Director, Program Oversight OS:CIO:SM:PO\n\n\n\n\n                                                                       Page 12\n\x0c    The Internal Revenue Service Adequately Protected Sensitive\n    Data and Restored Computer Operations After the Flooding of\n                     Its Headquarters Building\n\n\n                                                    Appendix IV\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                           Page 13\n\x0cThe Internal Revenue Service Adequately Protected Sensitive\nData and Restored Computer Operations After the Flooding of\n                 Its Headquarters Building\n\n\n\n\n                                                       Page 14\n\x0c'